mschapv2

package v0.4.0 (Latest)

This package is not in the latest version of its module.

Published: Jun 22, 2026 License: MIT Imports: 13 Imported by: 0

Documentation

Constants

const TypeMSCHAPv2 protocol.Type = 26

Variables

This section is empty.

Functions

func DebugStaticCredentials

func DebugStaticCredentials(user, password []byte) func(req AuthRequest) (*AuthResponse, error)

func Protocol

func Protocol() protocol.Payload

Types

type AuthRequest

type AuthRequest struct {
	Challenge     []byte
	PeerChallenge []byte
}

type AuthResponse

type AuthResponse struct {
	NTResponse            []byte
	RecvKey               []byte
	SendKey               []byte
	AuthenticatorResponse string
}

type FailureRequest added in v0.4.0

type FailureRequest struct {
	*Payload
	Message string
}

FailureRequest is the MS-CHAP-V2 Failure packet the server sends to a peer that failed authentication (draft-kamath-pppext-eap-mschapv2 §4, RFC 2759 §6). Unlike a Challenge it carries no challenge value; its body is the formatted "E=<err> R=<retry> C=<challenge> V=<ver> M=<message>" string.

func (*FailureRequest) Encode added in v0.4.0

func (fr *FailureRequest) Encode() ([]byte, error)

Encode serialises the Failure packet: OpCode, MS-CHAPv2 ID, MS-Length, then the message body (mirrors SuccessRequest.Encode, which also omits the value-size byte that only a Challenge needs).
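An added, stand-alone encoder and decoder for the Failure packet layout described above (example code, not the package's own): OpCode, MS-CHAPv2 ID, MS-Length, then the "E= R= C= V= M=" body. It assumes MS-Length covers OpCode through the end of the body (the EAP Length minus 5, as in draft-kamath) and fixes V=3, the MS-CHAP-V2 version; the decoder checks the header length and field layout before returning anything.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

const OpFailure uint8 = 4 // MS-CHAPv2 Failure OpCode, as listed on the page
// FailureBody holds the fields of the "E=<err> R=<retry> C=<challenge> V=<ver> M=<message>" string.
type FailureBody struct {
	ErrorCode int    // e.g. 691, RFC 2759 ERROR_AUTHENTICATION_FAILURE
	Retry     bool   // R=1 lets the peer retry using the challenge in C=
	Challenge []byte // 16-byte retry challenge, carried as 32 hex digits
	Message   string // free text that may contain spaces, so it is always last
}
// EncodeFailure emits OpCode | MSCHAPv2-ID | MS-Length | body with V=3. MS-Length is
// assumed to cover OpCode through the end of the body (EAP Length minus 5).
func EncodeFailure(id uint8, fb FailureBody) ([]byte, error) {
	body := fmt.Sprintf("E=%d R=%s C=%X V=3 M=%s", fb.ErrorCode,
		map[bool]string{false: "0", true: "1"}[fb.Retry], fb.Challenge, fb.Message)
	if len(fb.Challenge) != 16 || len(body) > 0xffff-4 {
		return nil, fmt.Errorf("challenge must be 16 bytes and body must fit MS-Length")
	}
	out := append([]byte{OpFailure, id, 0, 0}, body...)
	binary.BigEndian.PutUint16(out[2:], uint16(len(out)))
	return out, nil
}
// DecodeFailure parses a packet built by EncodeFailure; a malformed packet never yields a half-filled struct.
func DecodeFailure(raw []byte) (uint8, FailureBody, error) {
	if len(raw) < 4 || raw[0] != OpFailure || int(binary.BigEndian.Uint16(raw[2:])) != len(raw) {
		return 0, FailureBody{}, fmt.Errorf("malformed Failure header")
	}
	f := strings.SplitN(string(raw[4:]), " ", 5)
	if len(f) != 5 || !strings.HasPrefix(f[0], "E=") || (f[1] != "R=0" && f[1] != "R=1") ||
		!strings.HasPrefix(f[2], "C=") || f[3] != "V=3" || !strings.HasPrefix(f[4], "M=") {
		return 0, FailureBody{}, fmt.Errorf("malformed Failure body")
	}
	fb := FailureBody{Retry: f[1] == "R=1", Message: f[4][2:]}
	var eE, eC error
	fb.ErrorCode, eE = strconv.Atoi(f[0][2:])
	fb.Challenge, eC = hex.DecodeString(f[2][2:])
	if eE != nil || eC != nil || len(fb.Challenge) != 16 {
		return 0, FailureBody{}, fmt.Errorf("bad E= or C= field")
	}
	return raw[1], fb, nil
}
```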

type OpCode

type OpCode uint8
const (
	OpChallenge OpCode = 1
	OpResponse  OpCode = 2
	OpSuccess   OpCode = 3
	OpFailure   OpCode = 4
)

type Payload

type Payload struct {
	OpCode     OpCode
	MSCHAPv2ID uint8
	MSLength   uint16
	ValueSize  uint8

	Challenge []byte
	Response  []byte

	Name []byte
	// contains filtered or unexported fields
}

func (*Payload) Decode

func (p *Payload) Decode(raw []byte) error

func (*Payload) Encode

func (p *Payload) Encode() ([]byte, error)

func (*Payload) Handle

func (p *Payload) Handle(ctx protocol.Context) protocol.Payload

Handle runs the MS-CHAPv2 exchange: on start it issues the random server Challenge; on the peer Response it asks the consumer to authenticate, compares the expected and received NT-Response in constant time, and on a match drives the Success packet and the protected result. The consumer-supplied MPPE keys are attached to the Access-Accept in ModifyRADIUSResponse.

func (*Payload) ModifyRADIUSResponse

func (p *Payload) ModifyRADIUSResponse(r *radius.Packet, q *radius.Packet) error

func (*Payload) Offerable

func (p *Payload) Offerable() bool

func (*Payload) String

func (p *Payload) String() string

func (*Payload) Type

func (p *Payload) Type() protocol.Type

type Response

type Response struct {
	Challenge  []byte
	NTResponse []byte
	Flags      uint8
}

func ParseResponse

func ParseResponse(raw []byte) (*Response, error)

type Settings

type Settings struct {
	AuthenticateRequest func(req AuthRequest) (*AuthResponse, error)
	// AuthenticateRequestWithContext is the preferred hook when the caller needs
	// request/session-aware policy decisions. AuthenticateRequest remains
	// available for generic consumers that only need the challenge material.
	AuthenticateRequestWithContext func(ctx protocol.Context, req AuthRequest) (*AuthResponse, error)
	ServerIdentifier               string

	// Standalone selects the outer EAP-MSCHAPv2 flow (EAP type 26 run directly as
	// the outer method, per draft-kamath-pppext-eap-mschapv2), rather than as a
	// PEAP-tunnelled inner method. In standalone mode a successful exchange ends
	// with an outer EAP-Success (instead of a PEAP result TLV) and a failed one runs
	// the MS-CHAP-V2 Failure sub-protocol (RFC 2759 §6). Default false preserves the
	// PEAP-inner behaviour unchanged.
	Standalone bool

	// OnResult, when set, is invoked once with the password verdict: success=true
	// when the peer's NT-Response matched the expected one, false on mismatch. It is
	// a side-effect hook for the consumer (e.g. access/reject auditing) and must not
	// influence the exchange. It is NOT called for backend/credential errors raised
	// by AuthenticateRequest(WithContext) — the consumer already has those.
	OnResult func(ctx protocol.Context, success bool)
}

type State

type State struct {
	Challenge       []byte
	PeerChallenge   []byte
	IsProtocolEnded bool
	AuthResponse    *AuthResponse
	// AuthFailed is set in standalone mode after the server sends an MS-CHAP-V2
	// Failure-Request, so the peer's Failure-Response is recognised and turned into
	// an outer EAP-Failure.
	AuthFailed bool
}

type SuccessRequest

type SuccessRequest struct {
	*Payload
	Authenticator []byte
}

func (*SuccessRequest) Encode

func (sr *SuccessRequest) Encode() ([]byte, error)

A success request is encoded slightly differently: it carries no challenge, so it does not need to encode the challenge length (the value-size byte).
